SQL Servers Abused by Trigona Ransomware
Attackers are abusing publicly available Microsoft SQL servers to install Trigona ransomware payloads and encrypt all files. By using account credentials that are simple to guess, brute-force or dictionary attacks are being used to access the MS-SQL servers.
After successfully connecting to a server, the threat actors deploy the malware called CLR Shell, a type of CLR assembly malware that receives commands from threat actors and performs malicious behaviors, similarly to the WebShells of web servers.
The malware is used for harvesting system information by altering the compromised accounts configuration and escalating privileges to LocalSystem by exploiting a vulnerability in the Windows Secondary Logon Service
After the completion of the first stage, the attackers install and launch a dropper malware as the svcservice.exe service, used to launch the Trigona ransomware as svchost.exe.
In order to make the PCs would remain encrypted even after a reboot, they additionally configure the ransomware program to automatically activate on each system restart through a Windows autorun key.
The malware disables system recovery and deletes any Windows Volume Shadow copies before encrypting the system and delivering ransom notes, making recovery impossible without the decryption key.
Trigona encrypts all files on the victims’ devices they breach, except for those in specific folders, including the Windows and Program Files directories. Every locked file has the victim ID, the campaign ID, and the encrypted decryption key embedded in it. The ransomware also renames encrypted files by appending the .locked extension to them.
Along with creating ransom notes with details on the attack, a link to the Trigona Tor negotiation website, and a link with the authorization key required to log into the negotiation site, it also creates files named “how_to_decrypt.hta” in each folder.